Bash Script to assume a role with AWS and a subshell (experiment)
A simple bash script that uses your current AWS profile (AWS_PROFILE) and loads the environment variables required to assume a specified role (read from the environment variable named ROLE_TO_ASSUME).
This approach was tricky to think about, mostly because a subshell cannot pass exported environment variables back to its parent shell. (I also tried to do the same thing with NodeJS instead of bash, but the same issue occurred.)
As it stands, MFA support is not implemented, but the script can easily be adapted to support it.
Note
The simplest way to do all of this is still the AWS_PROFILE approach: configure each role as a profile in the ~/.aws/credentials file, then change AWS_PROFILE to point at the other account and assume the wanted role.
This article was only an experiment to see whether the role-assumption process can be simplified when working with multiple accounts and roles for different types of tasks.
The script
#!/bin/bash
# Sourced by an interactive subshell (bash -rcfile assume-role.sh -i), so the
# variables exported below live only in that subshell.
RED='\033[0;31m'
NC='\033[0m' # No Color
ROLE_ARN="$ROLE_TO_ASSUME"
ROLE_SESSION_NAME="ops"
if [ -z "$ROLE_ARN" ]; then
  echo "No ROLE_TO_ASSUME defined"
  exit 1
fi
# Request temporary credentials for the role (default lifetime: 1 hour)
ASSUMED_ROLE=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "$ROLE_SESSION_NAME")
if [ $? -ne 0 ]; then
  echo "Failed to assume the role defined"
  exit 2
fi
# Export the temporary credentials; these take precedence over AWS_PROFILE
export AWS_ACCESS_KEY_ID=$(echo "$ASSUMED_ROLE" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$ASSUMED_ROLE" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$ASSUMED_ROLE" | jq -r '.Credentials.SessionToken')
# Drop the base profile so only the assumed role's credentials are used
unset AWS_PROFILE
unset ROLE_TO_ASSUME
# Prompt looks like: <dir> (<account id>:<role name>) %
CUSTOM_PROMPT=$(echo "$ROLE_ARN" | cut -d / -f2)
ACCOUNT_ID=$(echo "$ROLE_ARN" | cut -d: -f5)
CWD=$(basename "$PWD")  # "rev | cut" alone printed the directory name reversed
# \[ \] mark the colour codes as non-printing so bash sizes the prompt correctly
export PS1="$CWD (\[${RED}\]$ACCOUNT_ID:$CUSTOM_PROMPT\[${NC}\]) % "
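The same flow as an added example (my code, not the original script), split into functions so that the ARN parsing and the credential export can be exercised offline against a constructed STS response; it also sketches the MFA adaptation mentioned above. The function names and the MFA_SERIAL variable are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not the original script: the assume-role flow as functions so
# the ARN parsing and credential export can be checked offline. The function
# names are this example's own; the STS response below is constructed.

# "ACCOUNT_ID:ROLE_NAME" from a role ARN via parameter expansion (no cut/rev).
role_label() {
    local arn="$1" rest
    rest="${arn#arn:*:iam::}"           # 123456789012:role/name
    printf '%s:%s\n' "${rest%%:*}" "${arn##*/}"
}

# One string field from the assume-role JSON without jq; the CLI pretty-prints
# the document, so newlines are stripped first.
sts_field() {
    local json="$1" key="$2"
    printf '%s' "$json" | tr -d '\n' |
        sed -n "s/.*\"$key\": *\"\([^\"]*\)\".*/\1/p"
}

# Export lines for the temporary credentials, mirroring the rcfile script.
session_exports() {
    local json="$1"
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$(sts_field "$json" AccessKeyId)"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(sts_field "$json" SecretAccessKey)"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$(sts_field "$json" SessionToken)"
}

# MFA-aware variant of the page's assume-role call (assumes MFA_SERIAL holds the
# device ARN). Needs a configured AWS CLI; not executed here.
assume_role_with_mfa() {
    local role_arn="$1" code
    read -r -p "MFA code for $MFA_SERIAL: " code
    aws sts assume-role --role-arn "$role_arn" --role-session-name ops \
        --serial-number "$MFA_SERIAL" --token-code "$code"
}

# Constructed sample in the shape the AWS CLI prints; values are fake.
SAMPLE_STS='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "examplesecret",
        "SessionToken": "exampletoken",
        "Expiration": "2024-01-01T01:00:00+00:00"
    }
}'

session_exports "$SAMPLE_STS"
```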
How to use
export AWS_PROFILE=my-aws-profile
export AWS_REGION=ca-central-1
ROLE_TO_ASSUME="arn:aws:iam::123456789012:role/role-name-to-assume" \
/bin/bash -rcfile ./assume-role.sh -i
aws sts get-caller-identity
# ctrl+d to quit the subshell
Alias
# Add the alias to ~/.zshrc once (skipped if it is already there)
if grep -q 'alias assume-role' ~/.zshrc; then
  echo '[assume-role] alias already configured'
else
  echo -e "\nalias assume-role='/bin/bash -rcfile $PWD/assume-role.sh -i'" >> ~/.zshrc
fi
source ~/.zshrc
Example
export ROLE_TO_ASSUME="arn:aws:iam::123456789012:role/role-name-to-assume"
assume-role
Output:
tgingras@tommys-MacBook-Air sts % assume-role
The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
sts (123456789012:role-name-to-assume) %
env | grep AWS
Output:
AWS_SESSION_TOKEN=...
AWS_SECRET_ACCESS_KEY=...
AWS_ACCESS_KEY_ID=...
You can run aws sts get-caller-identity to confirm that you are using the wanted role.
To leave the subshell, simply type exit or press ctrl+d.